Use htmlspecialchars when parsing a URL see #7564.

jmontoyaa · jmontoyaa · commit ba947ae6376f · 2015-03-04T09:50:19.000+01:00
diff --git a/main/inc/lib/display.lib.php b/main/inc/lib/display.lib.php
@@ -832,7 +832,8 @@ public static function tag($tag, $content, $additional_attributes = array())
     public static function url($name, $url, $extra_attributes = array())
     {
         if (!empty($url)) {
-            $extra_attributes['href']= $url;
+            $url = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
+            $extra_attributes['href'] = $url;
         }
         return self::tag('a', $name, $extra_attributes);
     }

Original file line number	Diff line number	Diff line change
`@@ -832,7 +832,8 @@ public static function tag($tag, $content, $additional_attributes = array())`
`832`	`832`	`public static function url($name, $url, $extra_attributes = array())`
`833`	`833`	`{`
`834`	`834`	`if (!empty($url)) {`
`835`		`- $extra_attributes['href']= $url;`
	`835`	`+ $url = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');`
	`836`	`+ $extra_attributes['href'] = $url;`
`836`	`837`	`}`
`837`	`838`	`return self::tag('a', $name, $extra_attributes);`
`838`	`839`	`}`